Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Comey Talks Strong Crypto, Silent on WikiLeaks

FBI Director James Comey revived old rhetoric on strong encryption during a keynote at the Boston Conference on Cyber Security. He did not address the leak of CIA hacking tools or Russia during his talk.

CHESTNUT HILL, Ma.—FBI director James B. Comey today revived the Going Dark discussion during a keynote address at the Boston Conference on Cyber Security, saying it’s time for an adult conversation on the prevalence of strong encryption and how it hinders criminal and national security investigations.

Comey, during his 45-minute address at Boston College, did not address the expansive leaks of CIA hacking tools yesterday by WikiLeaks or Russia’s alleged manipulation of the U.S. presidential election. He did not take questions from media in attendance, though he did answer a few from attendees.

Comey’s stance on strong encryption has remained largely unchanged in the past two years, running in parallel with the growth in mainstream adoption of secure messaging applications such as Signal, WhatsApp and others. The director contends that strong crypto not only impedes investigations, but cuts the legs out from judicial warrants that allow law enforcement on the local and federal level to seize digital devices.

Comey said that between October and December of last year, the FBI took possession of 2,800 devices, and there were 1,200 that the bureau could not crack and access stored data.

“That’s a big deal,” Comey said.

Comey acknowledged that strong crypto has always been around, but prior to Edward Snowden’s leaks of NSA secrets, it was largely the purview of nation states and sophisticated criminal groups.

“These apps are now a default feature of much less sophisticated actors, drug dealers, bank robbers, pedophiles, some terrorists,” Comey said. “Their shadow is spreading across more of our work.”

In the past, Comey has challenged technology companies to try harder to come up with a reasonable solution that does not require a backdoor or one that weakens encryption. Today, he backed off the challenge to tech companies and called for a discussion among the relevant parties that he says share the same values.

“We have to have a hard conversation about what we’re doing,” Comey said.

“Metadata is limited, especially when we are obligated to prove guilt beyond a reasonable doubt,” Comey said. “We just can’t get there against a pedophile or a terrorist.”

“Other say that maybe you can develop a hacking tool. That’s expensive and it doesn’t scale,” Comey said, harkening back to the Apple-FBI debate. “Something like that cannot be used broadly because they are perishable.”

Comey tried to tug on some patriotic heart strings as well, pointing out that the country’s founders struck a bargain that the government cannot invade one’s privacy without probable cause and a court order. What they founding fathers were saying, Comey countered, is that with good reason, the government can invade one’s privacy.

“There is no absolute right to privacy,” Comey said, adding, “with respect to default, strong encryption, it changes that bargain, and shatters it, in my view.”

Comey began his keynote by explaining the FBI’s ranking of cyber adversaries, starting with nation states at the top (he named China, Russia, Iran and North Korea), followed by multinational crime syndicates that sometimes work on behalf of nation-states, followed by insiders, hacktivists and terrorists at the bottom of the stack. He also explained the importance of the FBI increasing the cost of attacks for hackers, one of the FBI’s five strategic goals. That strategy includes increasing international pressure to prosecute hackers, or at least name and shame them as the government did in the case of China’s PLA hackers or Iranian actors allegedly responsible for DDoS attacks against U.S. banks in 2012 and 2013.

“We want to make sure they feel our breath on their neck,” Comey said.

Discussion

Mr. Comey starts out by asking for an adult conversation...and then reverts to the puerile and disingenuous argument that encryption is somehow a magic bullet that makes all other investigative means infeasible and grants "absolute" privacy. No, someone does not have an "absolute" right to privacy...in fact, no rights are "absolute." But while a person has no absolute right to not being killed by their government...say, if they were holding hostages and were shot by a sniper to save other lives...that does not mean that law enforcement should be able to kill randomly and with impunity either.
Crypto does not grant absolute privacy, and it's time that law enforcement stopped lying to us with the pretense that it does. in fact, the increasingly digital nature of our society has given them better and faster ways of doing their jobs than ever before; everyone with a smartphone has a tracking device that leaves a trail of their movement, for example. License plate readers track the location of cars in every metropolitan area. Crypto does not obviate any of this; it's nothing more than a slight limiter on one aspect of investigations.
Comey, like others in his profession, needs to stop stomping his feet and whining that he's not having his cake and eating it too.

Comey's arguments that metadata just isn't enough are nonsensical. Are we supposed to believe that a competent DA can't get a conviction against someone with metadata records showing that they frequently log in to "Pervo's Pre-Pubescent Porn Palace" or "Tariq's Terrorist Tactical Team"?

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.